Skip to content
Cloudflare Docs
Docs DirectoryAPIsSDKs

Email authentication

Learn about SPF, DKIM, and DMARC for secure and deliverable email sending.

Email authentication verifies sender identity and improves deliverability. Cloudflare Email Service handles authentication automatically, but understanding these concepts helps troubleshoot issues.

SPF (Sender Policy Framework)

SPF ensures that no one else can send emails with your domain by authorizing which mail servers are allowed to send on your behalf.

Email Service configures separate SPF records for sending and routing:

  • Email Sending SPF record on cf-bounce.yourdomain.com:

    TXT cf-bounce.yourdomain.com "v=spf1 include:_spf.mx.cloudflare.net ~all"

  • Email Routing SPF record on the root domain:

    TXT yourdomain.com "v=spf1 include:_spf.mx.cloudflare.net ~all"

SPF works by:

  1. Publishing authorized IP addresses in DNS
  2. Recipient servers checking your SPF record
  3. Comparing the sending IP against authorized IPs
  4. Passing or failing based on the result

DKIM (DomainKeys Identified Mail)

DKIM ensures that emails have not been tampered during transit by cryptographically signing them with your domain's private key.

How DKIM works:

  1. Email headers and body are signed with a private key
  2. DKIM-Signature header is added to the email
  3. Public key is published in DNS
  4. Recipients use the public key to verify the signature

Email Service uses separate DKIM selectors for sending and routing:

  • Email Sending: cf-bounce._domainkey.yourdomain.com
  • Email Routing: cf2024-1._domainkey.yourdomain.com

Cloudflare automatically generates and manages DKIM keys. You add the provided DNS records from the dashboard.

DMARC (Domain-based Message Authentication, Reporting & Conformance)

DMARC ensures that emails claiming to be from your domain actually pass SPF and DKIM checks, telling recipients what to do with emails that fail authentication.

DMARC record example:

TXT _dmarc.yourdomain.com "v=DMARC1; p=quarantine; rua=mailto:dmarc@yourdomain.com"

DMARC policies:

  • p=none - Monitor only (recommended to start)
  • p=quarantine - Quarantine suspicious emails
  • p=reject - Reject unauthenticated emails

Deployment strategy:

  1. Start with p=none to monitor authentication
  2. Gradually increase to p=quarantine
  3. Finally implement p=reject after confirming legitimate mail authenticates

Key benefits

Email authentication provides:

  • Deliverability: Improves inbox placement
  • Security: Protects your domain from spoofing
  • Reputation: Maintains good sender reputation with ISPs

Cloudflare Email Service handles authentication automatically, but you need to configure the DNS records for SPF, DKIM, and DMARC as provided in your dashboard. Email Sending and Email Routing use separate DNS records -- refer to Domain configuration for the full details.